Details

The Red Hat Security Response Team has rated this update as having moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

It was found that the fixes for CVE-2013-1664 and CVE-2013-1665, released via RHSA-2013:0658, did not fully correct the issues in the Extensible Markup Language (XML) parser used by Cinder. A remote attacker could use this flaw to send a specially crafted request to a Cinder API, causing Cinder to consume an excessive amount of CPU and memory, or possibly crash. (CVE-2013-4202)
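
The resource-exhaustion class the advisory describes is typically reached through constructs in the request body that a REST API never needs, above all DTD entity declarations. As an added illustration (not code from the advisory or from Cinder, and not a description of how Cinder's own parser behaves), the following hardened parse caps the body size and refuses any DOCTYPE before handing the bytes to expat, so no entity can be declared, let alone expanded. `MAX_XML_BYTES`, `parse_hardened`, `is_safe_xml` and the two sample bodies are assumptions constructed for this example.

```python
import xml.parsers.expat

# Upper bound on an accepted request body, in bytes (assumed value for the example).
MAX_XML_BYTES = 1 << 20


class UnsafeXML(ValueError):
    """Raised when a body carries constructs an API request never needs."""


def _reject_doctype(doctype_name, system_id, public_id, has_internal_subset):
    # Entity declarations, the usual driver of expansion-based CPU and memory
    # exhaustion, can only appear inside a DTD, so refusing every DOCTYPE
    # removes the whole class before any expansion can start.
    raise UnsafeXML("DOCTYPE declarations are not accepted: %s" % doctype_name)


def _reject_external_entity(context, base, system_id, public_id):
    # Returning 0 makes expat report a fatal error instead of resolving the
    # reference; belt and braces, since no DOCTYPE means no declared entities.
    return 0


def parse_hardened(data):
    """Parse an XML request body into a list of (element, attrs, text) tuples.

    Rejects oversized bodies and any document containing a DOCTYPE.
    """
    if isinstance(data, str):
        data = data.encode("utf-8")
    if len(data) > MAX_XML_BYTES:
        raise UnsafeXML("body exceeds %d bytes" % MAX_XML_BYTES)

    parser = xml.parsers.expat.ParserCreate()
    parser.buffer_text = True  # deliver contiguous text in one callback
    parser.StartDoctypeDeclHandler = _reject_doctype
    parser.ExternalEntityRefHandler = _reject_external_entity

    elements = []
    stack = []

    def start(name, attrs):
        stack.append([name, attrs, []])

    def chars(text):
        if stack:
            stack[-1][2].append(text)

    def end(name):
        el_name, attrs, parts = stack.pop()
        elements.append((el_name, attrs, "".join(parts).strip()))

    parser.StartElementHandler = start
    parser.CharacterDataHandler = chars
    parser.EndElementHandler = end
    # An exception raised in a handler stops the parse and propagates here.
    parser.Parse(data, True)
    return elements


def is_safe_xml(data):
    """True when parse_hardened accepts the body, False when it rejects it."""
    try:
        parse_hardened(data)
        return True
    except (UnsafeXML, xml.parsers.expat.ExpatError):
        return False


# Constructed sample bodies for the example; not taken from the advisory.
SAFE_BODY = b'<?xml version="1.0"?><volume><name>vol1</name><size>10</size></volume>'
DTD_BODY = b'<?xml version="1.0"?><!DOCTYPE volume [<!ENTITY a "x">]><volume>&a;</volume>'

if __name__ == "__main__":
    print("safe body accepted:", is_safe_xml(SAFE_BODY))
    print("DTD body accepted:", is_safe_xml(DTD_BODY))
    print(parse_hardened(SAFE_BODY))
```

The size check runs before the parser is even created, so an oversized body costs nothing beyond reading it; the DOCTYPE check fires on the first byte of the DTD, before any declaration inside it is processed.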

A bug in the Cinder LVM driver prevented LVM snapshots from being securely deleted in some cases, potentially leading to information disclosure to other tenants. (CVE-2013-4183)

The CVE-2013-4202 issue was discovered by Grant Murphy of the Red Hat Product Security Team.

Additionally, openstack-cinder has been rebased to the latest Grizzly stable release 2013.1.3. (BZ#993094)

All users of openstack-cinder are advised to upgrade to these updated packages, which correct these issues. After installing the updated packages, the running Cinder services will be restarted automatically.

Solution

Before applying this update, make sure all previously released errata relevant to your system have been applied.